Botnets are a Serious Threat to First Responders

Date: 2010-12-21

The unfortunate reality for public safety organizations that house confidential and sensitive data, including the personal information of employees and citizens, is that there is no end to cybersecurity threats such as botnets, worms, and hacking.

Botnets, or zombie armies, are perhaps the most worrisome cybersecurity threat. When these nearly invisible threats strike, they have full access to the information they seek – as if the perpetrator is standing over your shoulder recording every password, data entry and information transfer. Unlike the disk-crashing, network-freezing worms and Trojan horses of a few years ago, bots are designed to leave networks and computers running seamlessly by all outward appearances while they siphon data out to their “bot masters” and avoid detection.

The growth of information sharing and converged networks has undoubtedly improved first response efforts. However, greater information sharing also means botnets have greater opportunity to infiltrate sources that store confidential information, including:

Medical Records. New versions of medical equipment, such as ultrasound and electrocardiogram (EKG) machines, might become available, but first responders often update equipment only when absolutely necessary because of the sizable investment required. The latest version might include software patches to help combat cybersecurity threats, but the older version of the machine might not – leaving it more vulnerable to cyber attacks. Using botnets, cyber criminals can access the information housed on medical devices or even shut the machines down.

Alarm Systems. Although not entirely under a public safety organization’s control, botnets are a costly threat in their ability to alter alarm system warnings, causing unneeded attention to false alerts or preventing alarms from sounding altogether. Criminals can trip an alarm at one location – dispatching police forces to that location – while they commit a crime at a different location.

Mobile Technology. Botnet penetration of mobile technology used in patrol cars can undermine important law enforcement efforts. Confidential information, including the location of patrol cars, personal information on informants or undercover agents, and license plate numbers can be compromised. Given the right circumstances, cyber criminals could tap into networks to discover the time and location of police and informant meetings, putting lives in danger.

Most state and local first responders are already taking steps to minimize the chance of network penetration and, if an attack occurs, to isolate the threat and eliminate it. However, limited budgets and staff can mean cybersecurity efforts are inadequate or uncoordinated. An optimal strategy can be created using a combination of the CDW-G-developed approaches below. CDW-G recommends that agencies select tactics based on the size and type of agency, available budget and IT staff, and the sensitivity of the information that must be secured.

Install a Windows Firewall. Though sometimes tempting for users to disable, a Windows firewall can block many network-based exploits when properly configured. This measure is especially appropriate for large agencies with many similarly configured machines.

Disable AutoRun. The autorun feature, which automatically installs software, should be disabled to prevent operating systems from blindly launching commands from foreign sources.

Break Password Trusts. Judicious control over local accounts, especially the local administrator account, is critical to isolating and eliminating threats. Disabling computers’ ability to automatically connect to each other closes the path that botnets take to spread to the internal network. This is particularly critical in environments where machines store highly confidential data.

Consider Network Compartmentalization. In most computing environments, workstations do not need to communicate with each other across departments. Shutting down this capability goes a long way toward preventing the spread of botnets. IT managers should establish private virtual local area networks (VLANs), or access control lists (ACLs) between subnetworks to limit exposure. This strategy is not a good fit, however, in environments that mix voice and data communications, as it tends to break the ability to negotiate virtual circuits on the fly.

Provide Least Privilege. When users are not administrators of their own workstations, it is much harder for malware to propagate via drive-by download or for AutoRun methods to take hold on a system. Preventing users from being administrators also makes it more difficult for their user account credentials to spread malware, should the computer become infected.

Install Host-Based Intrusion Prevention. To keep botnets from taking root in a system, IT managers should concentrate additional protections on specific network layers based on vulnerability, such as at points of contact between specific hardware and software. This approach does not fix technical flaws or holes in operating systems or application software, but it can reduce the chances that exploits will be successful. These tools are highly effective, but they are expensive and challenging to deploy.

Enhance Monitoring. The more information IT managers have about how users and the network operate in normal activity, the easier it is for them to determine in real time when a botnet infestation causes slight anomalies. A range of products can be deployed to collect data on network traffic, train devices to monitor abnormalities, and identify and prevent intrusions. The key to success is around-the-clock monitoring; however, even with remote managed security services filling the gap, enhanced monitoring might be beyond the capabilities of many first responder organizations.

Filter Data Leaving the Network. Botnets typically establish communication with one or more remote servers that hackers use to retrieve private information. To stop these communications, and the threats associated with them, agencies can prohibit unwanted traffic from leaving the network, a practice known as egress filtering. Agencies should force Internet traffic through proxies or content filters (see below), or deploy a data loss prevention (DLP) solution.

Use a Proxy Server. While it is impractical to block all potentially hostile outbound traffic, forcing outbound traffic through a proxy server will give agencies a secondary choke point for monitoring and controlling Web access, and for defeating some attempts to tunnel around security measures. Content filtering is appropriate for almost any agency.
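The two recommendations above (egress filtering, and a proxy as the only path to the Web) amount to a default-deny outbound policy with a handful of named exceptions. The Python below is an added example written for this page; it is not CDW-G's code or a product configuration. It models such a policy as an ordered rule list, evaluates a set of constructed connection attempts against it, and counts denied attempts per source host, since a workstation that keeps trying to reach the Internet directly is exactly the kind of signal egress filtering surfaces. The address space, the proxy/resolver/mail-relay addresses, the port numbers and every flow record are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical agency addressing (constructed for this example, not from the article).
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
PROXY = ipaddress.ip_address("10.20.0.8")       # the outbound Web proxy / content filter
RESOLVER = ipaddress.ip_address("10.20.0.5")    # the internal DNS resolver
MAIL_RELAY = ipaddress.ip_address("10.20.0.9")  # the only host allowed to send SMTP out
EXTERNAL = object()                             # sentinel: any address outside INTERNAL

# Egress policy, evaluated top to bottom; first match wins, anything else is denied.
# Each rule: (name, source, destination, protocol, allowed destination ports)
RULES = [
    ("workstations-to-proxy", INTERNAL, PROXY, "tcp", {8080}),
    ("internal-to-resolver", INTERNAL, RESOLVER, "udp", {53}),
    ("proxy-to-web", PROXY, EXTERNAL, "tcp", {80, 443}),
    ("resolver-forwarding", RESOLVER, EXTERNAL, "udp", {53}),
    ("mail-relay-to-internet", MAIL_RELAY, EXTERNAL, "tcp", {25}),
]


def _matches(spec, ip):
    """True if ip satisfies a rule endpoint: a single address, a network, or the EXTERNAL sentinel."""
    if spec is EXTERNAL:
        return ip not in INTERNAL
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ip in spec
    return ip == spec


def evaluate(src, dst, proto, port):
    """Return (decision, rule_name) for one outbound connection attempt."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, rule_src, rule_dst, rule_proto, ports in RULES:
        if (_matches(rule_src, src_ip) and _matches(rule_dst, dst_ip)
                and proto == rule_proto and port in ports):
            return ("allow", name)
    return ("deny", "default-deny")


# Constructed connection attempts (src, dst, proto, dst_port); not real traffic.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.0.8", "tcp", 8080),    # workstation browsing through the proxy
    ("10.20.1.15", "10.20.0.5", "udp", 53),      # workstation using the internal resolver
    ("10.20.0.8", "198.51.100.20", "tcp", 443),  # proxy fetching a page on a user's behalf
    ("10.20.1.42", "203.0.113.9", "tcp", 443),   # workstation going straight out, bypassing the proxy
    ("10.20.1.42", "203.0.113.9", "tcp", 6667),  # workstation to an unexpected external port
    ("10.20.1.42", "203.0.113.21", "udp", 53),   # workstation doing its own DNS, bypassing the resolver
    ("10.20.0.9", "192.0.2.30", "tcp", 25),      # mail relay delivering mail
    ("10.20.1.77", "192.0.2.30", "tcp", 25),     # workstation sending SMTP directly
]


def denied_by_source(flows):
    """Count denied attempts per source host; a workstation with several deserves a look."""
    counts = Counter()
    for src, dst, proto, port in flows:
        decision, _ = evaluate(src, dst, proto, port)
        if decision == "deny":
            counts[src] += 1
    return counts


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, rule = evaluate(*flow)
        print(f"{decision:5} {rule:24} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
    print("denied per source:", dict(denied_by_source(SAMPLE_FLOWS)))
```

The same structure maps onto a real firewall or ACL (source, destination, protocol, port, first match wins, implicit deny at the end); what the model makes visible is that once the proxy, resolver and mail relay are the only hosts with a route out, every other direct outbound attempt is both blocked and logged, so the denied-per-source count doubles as a cheap monitoring feed.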

Install Reputation-Based Filtering. Tools like IronPort and WebSense can help block email from, and requests to, addresses that have reputations as potential malware sources.

Monitor DNS Queries. How a workstation responds to domain name system (DNS) queries is often an early warning sign that the workstation may be infected. Specifically, responses from workstations that contain very low time-to-live (TTL) values should be monitored, as low TTL can indicate infection. Early detection allows system administrators to act before the infection spreads too far.
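To show what "monitor low TTLs" looks like in practice, here is an added example (written for this page, not CDW-G's tooling) that runs simple detection logic over a few constructed resolver log lines. It parses each answer, keeps those whose TTL is below a threshold, and flags a workstation only when it has received low-TTL answers for more than one distinct name, with an allowlist for services that legitimately use short TTLs. The log format, the threshold, the allowlisted name and every log line are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (hypothetical format, not from the article):
# <timestamp> <client_ip> <qname> <rtype> <answer> <ttl_seconds>
SAMPLE_DNS_LOG = """\
2010-12-21T09:00:01 10.20.1.15 intranet.agency.example A 10.20.0.5 86400
2010-12-21T09:00:04 10.20.1.15 cdn-static.example.net A 198.51.100.7 60
2010-12-21T09:01:10 10.20.1.42 k3x9q.example.org A 203.0.113.9 30
2010-12-21T09:01:11 10.20.1.42 k3x9q.example.org A 203.0.113.21 30
2010-12-21T09:01:40 10.20.1.42 p7ff2.example.org A 203.0.113.44 45
2010-12-21T09:02:02 10.20.1.42 zz10a.example.org A 203.0.113.61 30
2010-12-21T09:02:30 10.20.1.77 mail.agency.example A 10.20.0.9 3600
"""

LOW_TTL_SECONDS = 300      # assumed threshold below which an answer counts as "very low TTL"
MIN_DISTINCT_DOMAINS = 2   # require more than one low-TTL name before flagging a host
KNOWN_LOW_TTL_NAMES = {"cdn-static.example.net"}  # legitimate services known to use short TTLs

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rtype, answer, ttl = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rtype": rtype, "answer": answer, "ttl": int(ttl)}


def low_ttl_responses(log_text, threshold=LOW_TTL_SECONDS, allowlist=KNOWN_LOW_TTL_NAMES):
    """Return the parsed answers whose TTL is below the threshold, skipping allowlisted names."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ttl"] >= threshold or rec["qname"] in allowlist:
            continue
        hits.append(rec)
    return hits


def suspicious_workstations(log_text, threshold=LOW_TTL_SECONDS,
                            min_domains=MIN_DISTINCT_DOMAINS, allowlist=KNOWN_LOW_TTL_NAMES):
    """Group low-TTL answers per client and report clients with several distinct low-TTL names.

    distinct_answers is also reported: the same name resolving to several addresses
    within a short window is a further hint that the name is being rotated rapidly.
    """
    per_client = defaultdict(lambda: {"domains": set(), "answers": set(), "responses": 0})
    for rec in low_ttl_responses(log_text, threshold, allowlist):
        entry = per_client[rec["client"]]
        entry["domains"].add(rec["qname"])
        entry["answers"].add(rec["answer"])
        entry["responses"] += 1
    return {
        client: {"domains": sorted(e["domains"]),
                 "distinct_answers": len(e["answers"]),
                 "responses": e["responses"]}
        for client, e in per_client.items() if len(e["domains"]) >= min_domains
    }


if __name__ == "__main__":
    for client, info in suspicious_workstations(SAMPLE_DNS_LOG).items():
        print(f"{client}: {info['responses']} low-TTL answers for {info['domains']} "
              f"({info['distinct_answers']} distinct addresses)")
```

Low TTLs alone produce false positives, because content delivery networks and load-balanced services use short TTLs by design; that is why the example requires several distinct names per host and keeps an allowlist, and why the threshold should be set from the agency's own baseline of normal resolver traffic rather than taken from this example.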

Peyton Engel is a technical architect at CDW Government (CDW-G), a leading source of IT solutions to government, education and healthcare, where he is responsible for leading the company’s security assessment team.